Skip to content
HN On Hacker News ↗

aws.com and google.com don't have DNSSEC enabled

▲ 17 points 22 comments by moquilabs 4w ago HN discussion ↗

Pangram verdict · v3.3

We believe that this document is fully human-written

0 %

AI likelihood · overall

Human
100% human-written 0% AI-generated
SEGMENTS · HUMAN 2 of 2
SEGMENTS · AI 0 of 2
WORD COUNT 216
PEAK AI % 0% · §1
Analyzed
Jun 11
backend: pangram/v3.3
Segments scanned
2 windows
avg 108 words each
Distribution
100 / 0%
human / AI fraction
Verdict
Human
Pangram v3.3

Article text · 216 words · 2 segments analyzed

Human AI-generated
§1 Human · 0%

I was looking at verisign's public dns whois checker and I got this crazy result. Amazon.com doesn't have dnssec enabled. # To verify run: ~ ❯ delv amazon.com ; unsigned answer amazon.com. 2 IN A 98.82.161.185 amazon.com. 2 IN A 98.87.170.71 amazon.com. 2 IN A 98.87.170.74 Surely aws.com has it enabled? ~ ❯ delv aws.com ; unsigned answer aws.com. 59 IN A 143.204.142.107 aws.com. 59 IN A 143.204.142.125 aws.com. 59 IN A 143.204.142.53 aws.com. 59 IN A 143.204.142.119 Okay google.com has it enabled: ~ ❯ delv google.com ; unsigned answer google.com. 141 IN A 173.194.42.101 google.com. 141 IN A 173.194.42.113 google.com. 141 IN A 173.194.42.102 google.com. 141 IN A 173.194.42.138 google.com. 141 IN A 173.194.42.100 google.com. 141 IN A 173.194.42.139 Okay there's something seriously wrong, this tool is broken, or my client is wrong.

§2 Human · 0%

what about cloudflare: ~ ❯ delv cloudflare.com ; fully validated cloudflare.com. 134 IN A 104.16.132.229 cloudflare.com. 134 IN A 104.16.133.229 cloudflare.com. 134 IN RRSIG A 13 2 300 20260612003424 20260609223424 34505 cloudflare.com. bK9MssAMDa7/6dM0CJ0tRYisBorQ8vaDDWrhyvvzJjO7qp6ogft0eUdy c22Loq0Lw172ClsPmz2CWW5WLBMWfQ== So it's not my tool because cloudflare is working. Can someone please explain what is happening? AWS themselves has an article about this. With no dnssec, there is no way to cryptographically prove that the DNS records are accurate, so DNS server's cache could return an attacker IP.